A Legal Assessment from a Swiss Perspective
Abstract
With the legislative package presented by the European Commission in June 2023 on the Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR), EU payment services regulation is facing its most comprehensive reform since 2015. The proposals were adopted by the European Parliament at first reading in April 2024; trilogue negotiations are underway, with application expected from 2026/2027. For Switzerland, which as a third country is under no obligation to transpose these rules, the question arises as to the extent to which the new regulations will have a legal, practical and economic impact on the domestic financial centre and, in particular, on the FinTech industry. This article analyses the key innovations of PSD3/PSR, places them within the Swiss legal framework, and identifies strategic options for Swiss payment service providers, banks and FinTechs.
1. Introduction and Context
The Payment Services Directive (EU) 2015/2366 (PSD2) has had a lasting impact on the European payment services market: it introduced Open Banking, regulated new actors such as payment initiation service providers (PISPs) and account information service providers (AISPs), and significantly strengthened consumer protection in digital payments through strong customer authentication (SCA). Despite these achievements, the EU Commission’s evaluation revealed significant weaknesses: inconsistent transposition across Member States, unclear interfaces with the E-Money Directive (2009/110/EC), new fraud phenomena (in particular Authorised Push Payment Fraud, APP Fraud), and only sluggish market penetration of Open Banking services.
Against this backdrop, the EU Commission presented a reform package on 28 June 2023 consisting of two legal acts: a third Payment Services Directive (PSD3), which harmonises national supervisory regimes, and a directly applicable Payment Services Regulation (PSR), which standardises the operational obligations of market participants across the EU. The package is supplemented by a proposal for a Regulation on a framework for financial data access (Financial Data Access, FIDA), which aims to extend Open Banking into a comprehensive Open Finance framework.
For Switzerland, the reform is of considerable practical significance. The domestic financial centre is closely intertwined with the EU market, and Swiss FinTechs generally operate on a cross-border basis. The question of whether and how the new EU standards must be reflected in Swiss law is therefore not merely academic, but strategic.
2. The EU Reform Package at a Glance
2.1 Architecture: Directive and Regulation
The central structural innovation lies in the division of the existing PSD2 framework into two legal instruments. While PSD3, as a directive, continues to require transposition into national law and in particular governs the licensing and supervisory rules for payment institutions, the PSR, as a regulation, will be directly applicable in all Member States and will standardise the operational conduct requirements, transparency obligations and liability rules. By doing so, the EU legislator is responding to the inconsistent transposition of PSD2 and is creating a uniform set of obligations for all payment service providers.
2.2 Integration of the E-Money Directive
PSD3 integrates the regime of the E-Money Directive into the framework for payment institutions. Instead of two parallel licence types (payment institution and e-money institution), there will in future be only the payment institution, with a separate category for the issuance of e-money. This consolidation eliminates regulatory duplication and simplifies the licensing process. Existing e-money institutions will be transitioned to the new regime under transitional provisions.
2.3 Enhanced Fraud Protection
A key focus of the reform is combating APP Fraud. The PSR provides in particular for the following measures:
- IBAN-Name Check: Obligation on payment service providers to verify, prior to executing a transfer, whether the payee name entered by the payer matches the name registered to the payee’s IBAN, and to report any discrepancies.
- Extended Liability: Reimbursement claims by payers in cases of identity fraud where fraudsters impersonate employees of the payment service provider (spoofing), subject to specified conditions.
- Information Exchange: An express legal basis for the exchange of fraud-related information between payment service providers, with clarifications on GDPR compliance.
- Transaction Monitoring: Obligation to maintain robust mechanisms for fraud detection and prevention, including the use of pattern recognition and machine learning.
2.4 Open Banking 2.0
In the area of Open Banking, the PSR addresses the frictions encountered in practice. Banks must provide dedicated interfaces (Dedicated Interfaces / APIs) whose availability, performance and functionality meet standardised minimum requirements. The previous option of a fallback to the online banking interface (screen scraping) will be abolished in principle, but the obligations of account-holding institutions regarding availability and data quality will be significantly tightened. In addition, the FIDA Regulation expands data access to further financial products (insurance, investments, mortgages, pensions), with a contract-based model using Financial Data Sharing Schemes envisaged.
2.5 Strong Customer Authentication (SCA)
SCA is retained but further developed in a practice-oriented manner on several points. In particular, the accessibility requirements for persons with disabilities, older persons and those without smartphones will be specified. Furthermore, outsourcing arrangements (such as authentication service providers) will be more clearly regulated.
2.6 Access to Payment Systems and Accounts
Non-bank payment service providers will receive facilitated access to payment systems operated by central banks as well as to accounts at credit institutions. The latter addresses the significant practical problem of so-called de-risking, whereby banks refuse to open accounts for FinTechs or terminate business relationships on risk or compliance grounds. In future, banks must provide written reasons for any such refusal, and supervisory authorities will be given intervention powers.
3. The Swiss Legal Framework for Payment Services
3.1 Guiding Principle: Liberal and Principles-Based Law
Switzerland does not have a sector-specific payment services law comparable to PSD2/PSD3. Instead, payment services are governed by a mosaic of provisions from various statutes:
- Banking Act (BankG): A licensing requirement applies where a payment service provider professionally accepts public deposits. The FinTech licence under Art. 1b BankG permits the acceptance of public deposits up to CHF 100 million under simplified conditions.
- Financial Market Infrastructure Act (FinfraG): Art. 81 FinfraG defines payment systems; Art. 4(2) FinfraG provides for a licensing requirement only where the proper functioning of the financial market or the protection of financial market participants so requires and the system is not operated by a bank.
- Anti-Money Laundering Act (GwG): Payment service providers regularly qualify as financial intermediaries within the meaning of Art. 2(3) GwG and are therefore subject to due diligence and reporting obligations as well as the obligation to affiliate with a self-regulatory organisation (SRO) or to submit to direct FINMA supervision.
- Consumer Credit Act (KKG) and Code of Obligations (OR): General civil law provisions, notably on mandate (Art. 394 et seq. OR) and assignment (Art. 466 et seq. OR), form the contractual foundation for payment services.
- Data Protection Act (revDSG): The revised Data Protection Act, which entered into force on 1 September 2023, applies to the processing of payment and customer data.
3.2 Case Law on Licensing Requirements for Payment Systems
The Federal Administrative Court, in its judgment BVGer B-3873/2022, confirmed the liberal approach of Swiss payment system regulation. It held that the operation of a payment system generally does not engage the protective purpose of FinfraG, and that the licensing requirement under Art. 4(2) FinfraG constitutes an exception requiring justification. What is required is the relevance of the system to the proper functioning of the financial market or the protection of financial market participants; mere market participation without systemic significance does not suffice.
The Federal Supreme Court had previously held in its judgment BGer 2C_345/2015 – still under the old Banking Act, but with continuing relevance for FinfraG – that Swiss regulation of electronic payment instruments is designed considerably more liberally than EU law, and that the issuance and administration of electronic payment instruments is in principle permissible without a licence, provided no special statutory requirements are met.
3.3 Planned Clarification
The Federal Council has announced a revision of FinfraG, under which the indeterminate legal concepts in Art. 4(2) FinfraG are to be specified through quantitative thresholds (in particular transaction volumes). This is intended to increase legal certainty for providers without abandoning the principle that non-systemically relevant payment systems are exempt from licensing. An adoption of the EU model of a blanket licensing requirement for all payment service providers is not under consideration.
4. Direct Applicability of PSD3/PSR in Switzerland?
4.1 Principle of Sovereignty
As a third country, Switzerland is obliged neither by a bilateral nor by a multilateral agreement to transpose EU secondary law in the field of financial services. The bilateral agreements between Switzerland and the EU do not contain a market access agreement for financial services. PSD3 and PSR will therefore have no direct effect in Switzerland. Swiss payment service providers are primarily governed by Swiss law.
4.2 De Facto Binding Effect Through Market Access
This legal independence should not obscure the de facto binding effect of EU law. Swiss payment service providers wishing to offer their services in the EEA or operate on a cross-border basis in EU Member States must fully comply with the requirements of PSD3/PSR. This concerns in particular:
- obtaining an EU payment institution licence in a Member State (often through a subsidiary, for example in Luxembourg, Ireland or Lithuania);
- complying with the operational requirements of the PSR in cross-border business;
- adapting terms and conditions, authentication procedures and fraud prevention systems to EU standards.
In practice, this means that many Swiss FinTechs must manage a dual regulatory regime: Swiss law for domestic business, European law for international business.
4.3 Autonomous Adoption
In financial market law, Switzerland traditionally pursues a policy of autonomous adoption (autonomer Nachvollzug). This means that the Swiss legislator voluntarily adopts EU regulations in substance or at least provides equivalent solutions in order to preserve the equivalence of Swiss law and to avoid competitive disadvantages. Illustrative examples include the adoption of key MiFID II standards in the Financial Services Act (FIDLEG) or the alignment of anti-money laundering rules with FATF and EU standards. Art. 82 FinfraG expressly empowers the Federal Council to enact regulations implementing recognised international standards.
Whether and to what extent Switzerland will autonomously adopt the substance of PSD3/PSR is currently open. A full adoption of the EU model appears unlikely given the fundamentally different regulatory approach. Selective adjustments – particularly regarding fraud prevention, IBAN-Name Check and Open Banking standards – are, however, likely and already in preparation. The Swiss Bankers Association, with its multilateral agreement on Open Finance from summer 2023, has adopted a market-driven approach aimed at setting standards without government intervention.
5. Implications for the Swiss FinTech Industry
5.1 Market Access and Licensing Strategy
Swiss FinTechs with a European growth strategy must reconsider their licensing strategy. While the consolidation of payment and e-money institutions under PSD3 simplifies the licensing regime, it simultaneously raises the requirements for own funds, governance and operational resilience. Those that have previously operated under an e-money institution licence must carefully examine the transitional provisions. For Swiss providers without an EU subsidiary, the question of whether market entry via a dedicated EU vehicle or through partnerships with licensed actors (Banking-as-a-Service) is more economically viable becomes more pressing.
5.2 Open Banking and Open Finance
The EU is moving considerably more decisively in the area of Open Banking than Switzerland. While in the EU standardised APIs will become mandatory once the PSR takes effect, and the FIDA Regulation extends access to further financial data, Switzerland relies on a market-driven approach. For Swiss FinTechs, this creates a dual burden: on the one hand, they must align with EU standards in order to remain interoperable; on the other, there is no domestic regulatory obligation on banks to open their interfaces, which complicates market access. The competitiveness of the Swiss FinTech ecosystem therefore depends substantially on whether viable industry initiatives can be established.
5.3 Fraud Prevention and Liability
The PSR’s tightened liability rules will also have an impact in Switzerland. Swiss banks and payment service providers that interact with EU customers must equip their fraud prevention systems accordingly. Moreover, it is to be expected that Swiss courts will interpret the duty of care standards for payment service providers in light of international standards. Even today, civil case law on bank liability in phishing and spoofing attacks shows a trend towards stricter standards of care. The IBAN-Name Check is likely to be introduced in the Swiss market in the medium term as well – for example via the SIX infrastructure.
5.4 De-Risking and Account Opening
The right of non-bank payment service providers to access accounts at credit institutions, as provided for in the PSR, addresses a problem that is at least as pronounced in Switzerland. Swiss FinTechs regularly report difficulties in opening business accounts or the termination of existing relationships for compliance reasons. An analogous regulation under Swiss law is under discussion but remains politically contentious. For the industry, the banking relationship thus remains a central operational risk factor.
5.5 Data Protection and Cybersecurity
The PSR is closely interlinked with the GDPR, the DORA Regulation (Digital Operational Resilience Act) and the Cyber Resilience Act. Swiss providers operating in the EU market must take a holistic view of these interlocking regulatory frameworks. In particular, the DORA requirements for ICT risk management, third-party management and the reporting of severe ICT incidents have applied since 17 January 2025 and affect Swiss companies insofar as they are classified as critical third-party service providers of EU financial institutions.
5.6 Competitive Consequences
Overall, the reform strengthens the position of established players with sufficient resources for compliance, while smaller FinTechs face significant scaling hurdles. At the same time, it opens opportunities for new business models – particularly in the areas of fraud prevention, identity verification and API aggregation. The Swiss location can preserve its attractiveness if it succeeds in combining regulatory clarity with innovation-friendliness. The FinTech licence under Art. 1b BankG, the FINMA sandbox and the DLT legislation provide good starting points for this purpose.
6. Strategic Recommendations
From a legal and business perspective, the following strategic recommendations arise for Swiss FinTechs and banks:
- Regulatory Monitoring: The trilogue negotiations on PSD3/PSR must be closely followed, as significant detailed provisions may still change. A continuous gap analysis between PSD2 compliance and future requirements is indispensable.
- Licensing Strategy: The question of optimal EU licensing (own subsidiary, partnership with a licensed provider, Banking-as-a-Service) should be reassessed in light of the consolidated PSD3 licence.
- Open Banking Readiness: Swiss providers should align with the EU API standards and actively engage in industry initiatives to ensure interoperability.
- Fraud Prevention Architecture: The implementation of IBAN-Name Check, robust transaction monitoring and mechanisms for information exchange between providers should be pursued regardless of the formal applicability of the PSR.
- Legal Documentation: Terms and conditions, privacy notices and authentication procedures should be adapted to PSR requirements at an early stage, insofar as there is an EU nexus.
- Dialogue with FINMA and SECO: Active participation in the consultation process on future FinfraG amendments and in industry policy discussions on autonomous adoption is in the sector’s own interest.
7. Conclusion
PSD3 and PSR mark a paradigm shift in European payment services regulation. Legally, they have no direct effect in Switzerland; in practice, however, they will shape the domestic market to a considerable extent. For Swiss FinTechs, the challenge is twofold: on the one hand, they must adapt their EU activities to the new requirements; on the other, they operate domestically within a legal framework that is deliberately more liberal and principles-based.
This asymmetry is both an opportunity and a risk. It opens scope for innovation, but at the same time requires a high degree of regulatory sensitivity and strategic foresight. The Swiss financial centre is well advised to practise autonomous adoption where this is warranted for the protection of consumers and for maintaining international connectivity – without forfeiting the advantage of a flexible, principles-based regulatory model. For the FinTech industry, the coming decade will depend on the ability to efficiently adapt EU standards while at the same time leveraging Swiss strengths – legal certainty, political stability and a liberal innovation framework – as a differentiating factor.